VYPR

npm package

fast-xml-builder

pkg:npm/fast-xml-builder

Vulnerabilities (2)

  • CVE-2026-44665MedMay 13, 2026
    affected < 1.1.7fixed 1.1.7

    fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.

  • CVE-2026-44664MedMay 13, 2026
    affected >= 1.1.5, < 1.1.6fixed 1.1.6

    fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out o